Management and authentication in hosted directory service
Abstract
A user, group, and device management and authentication system allows administrators to manage one or more directories with devices that are not associated with a domain of the one or more directories via a set of APIs. The system also allows applications and services that do not have direct access to a list of directory users to access the one or more directories. The user, group, and device management and authentication system may be an add-on system that works in conjunction with a centrally-managed directory service to provide such functionality. For example, the system may generate an access token associated with a particular directory that can be used by a service accessed by an administrator to call an API provided by the system. The API call may be translated into a directory-specific API call that can be used to perform an action in the particular directory.
Claims
What is claimed is:
1. A computer-implemented method of managing one or more directories, the method comprising:
receiving, from an application service in communication with a user device over a network, a call for an operation, wherein the call includes an access token and an operation-specific parameter;
determining that the access token is valid;
determining, based at least in part on the access token being valid, a directory in a plurality of directories associated with the access token;
determining that the access token maps to a directory service token;
transmitting the directory service token and the operation-specific parameter to an agent associated with the determined directory, wherein receipt of the directory service token and the operation-specific parameter causes the agent to perform the operation;
receiving results of the performed operation from the agent; and
transmitting the results of the performed operation to the application service.
2. The computer-implemented method of claim 1 , wherein transmitting the directory service token to an agent associated with the determined directory further comprises transmitting the directory service token to the agent associated with the determined directory such that the operation is performed in the determined directory.
3. The computer-implemented method of claim 1 , wherein the user device is not associated with the determined directory.
4. The computer-implemented method of claim 1 , wherein determining that the access token is valid further comprises determining that the access token is valid in time and for a managed directory service that the user device is attempting to access.
5. The computer-implemented method of claim 1 , wherein determining a directory in the plurality of directories associated with the access token comprises querying a directory database that comprises an association between the access token and the directory in the plurality of directories.
6. The computer-implemented method of claim 1 , wherein the operation comprises adding a user to the determined directory based on the operation-specific parameter.
7. The computer-implemented method of claim 6 , wherein the agent instructs the determined directory to add the user to the determined directory using the operation-specific parameter.
8. The computer-implemented method of claim 1 , wherein the operation-specific parameter comprises a password.
9. A system comprising:
a plurality of computing systems, wherein a computing system hosts a directory in a plurality of directories; and
a computing resource service provider system, the computing resource service provider system in communication with the plurality of computing systems, the computer resource service provider system configured with specific executable instructions that, when executed, cause the computing resource service provider system to at least:
receive, from an application service in communication with a user device over a network, a call for an operation, wherein the call includes an access token and an operation-specific parameter;
determine that the access token is valid;
determine, based at least in part on the access token being valid, a directory in the plurality of directories associated with the access token;
determine that the access token maps to a directory service token;
transmit the directory service token and the operation-specific parameter to an agent associated with the determined directory, wherein receipt of the directory service token and the operation-specific parameter causes the agent to perform the operation;
receive results of the performed operation from the agent; and
transmit the results of the performed operation to the application service.
10. The system of claim 9 , wherein the specific executable instructions, when executed, further cause the computing resource service provider system to at least transmit the directory service token to the agent associated with the determined directory such that the operation is performed in the determined directory.
11. The system of claim 9 , wherein the user device is not associated with the determined directory.
12. The system of claim 9 , wherein the specific executable instructions, when executed, further cause the computing resource service provider system to at least determine that the access token is valid in time and for a managed directory service that the user device is attempting to access.
13. The system of claim 9 , wherein the specific executable instructions, when executed, further cause the computing resource service provider system to at least query a directory database that comprises an association between the access token and the directory in the plurality of directories.
14. The system of claim 9 , wherein the operation-specific parameter comprises a password.
15. The system of claim 9 , wherein the operation comprises adding a user to the determined directory based on the operation-specific parameter.
16. A non-transitory computer storage system comprising a non-transitory storage device, said computer storage system having stored thereon executable program instructions that direct a computer system to at least:
receive, from an application service in communication with a user device over a network, a call for an operation, wherein the call includes an access token and an operation-specific parameter;
determine that the access token is valid;
determine, based at least in part on the access token being valid, a directory in the plurality of directories associated with the access token;
determine that the access token maps to a directory service token;
transmit the directory service token and the operation-specific parameter to an agent associated with the determined directory, wherein receipt of the directory service token and the operation-specific parameter causes the agent to perform the operation;
receive results of the performed operation from the agent; and
transmit the results of the performed operation to the application service.
17. The non-transitory computer storage system of claim 16 , wherein the executable program instructions further direct the computer system to at least transmit the directory service token to an agent associated with the determined directory such that the operation is performed in the determined directory.
18. The non-transitory computer storage system of claim 16 , wherein the user device is not associated with the determined directory.
19. The non-transitory computer storage system of claim 16 , wherein the executable program instructions further direct the computer system to at least determine that the access token is valid in time and for a managed directory service that the user device is attempting to access.
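The abstract and claim 1 describe a token-brokering flow: an application service presents an access token plus operation parameters, the broker validates the token (in time and for the managed directory service being accessed, as in claim 4), resolves the directory the token is bound to, exchanges it for the directory service token, and forwards the operation to that directory's agent. The following is an added illustration of that flow written for this page; it is not the patent holder's code or any product's API. The class names, the `add_user` operation, the audience label `MANAGED_DIRECTORY_SERVICE`, and the in-memory "directory database" are all assumptions made for the example. The security-relevant point it makes concrete is the separation of credentials: the application service only ever holds a short-lived, directory-scoped access token, while the long-lived directory service token stays inside the broker and its agents.

```python
"""Illustrative model of the brokered directory-operation flow (constructed example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

# Assumed audience label for the service the access token is scoped to.
MANAGED_DIRECTORY_SERVICE = "managed-directory-service"


@dataclass
class DirectoryAgent:
    """Stand-in for the agent co-located with one directory (hypothetical)."""
    directory_id: str
    service_token_hash: str                                 # agent stores only a hash
    users: Dict[str, str] = field(default_factory=dict)     # username -> password hash

    def perform(self, service_token: str, operation: str, params: dict) -> dict:
        presented = hashlib.sha256(service_token.encode()).hexdigest()
        if not hmac.compare_digest(presented, self.service_token_hash):
            return {"ok": False, "error": "directory service token rejected"}
        if operation == "add_user":            # the add-user-with-password case
            name, password = params["username"], params["password"]
            if name in self.users:
                return {"ok": False, "error": "user already exists"}
            self.users[name] = hashlib.sha256(password.encode()).hexdigest()
            return {"ok": True, "directory": self.directory_id, "username": name}
        return {"ok": False, "error": f"unsupported operation {operation!r}"}


@dataclass
class AccessTokenRecord:
    directory_id: str
    audience: str
    expires_at: float                                       # unix seconds


class DirectoryBroker:
    """Management/authentication layer between application services and agents."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._agents: Dict[str, DirectoryAgent] = {}             # directory id -> agent
        self._dir_service_tokens: Dict[str, str] = {}            # directory id -> service token
        self._access_tokens: Dict[str, AccessTokenRecord] = {}   # the "directory database"

    def register_directory(self, directory_id: str) -> None:
        service_token = secrets.token_urlsafe(32)
        self._dir_service_tokens[directory_id] = service_token
        self._agents[directory_id] = DirectoryAgent(
            directory_id, hashlib.sha256(service_token.encode()).hexdigest())

    def issue_access_token(self, directory_id: str, ttl_seconds: int = 300) -> str:
        """Short-lived token bound to exactly one directory and to this service."""
        if directory_id not in self._agents:
            raise KeyError(directory_id)
        token = secrets.token_urlsafe(32)
        self._access_tokens[token] = AccessTokenRecord(
            directory_id, MANAGED_DIRECTORY_SERVICE, self._now() + ttl_seconds)
        return token

    def handle_call(self, access_token: str, operation: str, params: dict,
                    audience: str = MANAGED_DIRECTORY_SERVICE) -> dict:
        # 1. Validate the token: known, not expired, and issued for this service.
        rec = self._access_tokens.get(access_token)
        if rec is None or rec.audience != audience or self._now() >= rec.expires_at:
            return {"ok": False, "error": "invalid access token"}
        # 2. Resolve which directory the token is bound to.
        directory_id = rec.directory_id
        # 3. Map the access token to that directory's service token.
        service_token = self._dir_service_tokens.get(directory_id)
        agent = self._agents.get(directory_id)
        if service_token is None or agent is None:
            return {"ok": False, "error": "no agent for directory"}
        # 4./5. Forward to the agent and relay its result. The caller never sees
        # the directory service token; a leaked access token is scoped and expires.
        return agent.perform(service_token, operation, params)


if __name__ == "__main__":
    broker = DirectoryBroker()
    broker.register_directory("dir-a")
    tok = broker.issue_access_token("dir-a", ttl_seconds=60)
    print(broker.handle_call(tok, "add_user", {"username": "alice", "password": "pw"}))
```

In a deployment the access-token store would be durable and the validity check would also cover revocation; the model above keeps both in memory so that the token-scoping and exchange steps stay visible.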